[shimV2] adds SCSI disk manager

Add the SCSI manager that manages the full lifecycle of SCSI disk
attachments on a Hyper-V VM. It abstracts host-side slot allocation,
guest-side mount/unmount (with platform-specific paths for LCOW and
WCOW), reference counting for shared disks, and two-phase teardown
(guest unplug followed by host detach).

Signed-off-by: Harsh Rawat <harshrawat@microsoft.com>

Author: rawahars

internal/controller/device/scsi/doc.go

@@ -0,0 +1,138 @@
+//go:build windows
+
+// Package scsi manages the full lifecycle of SCSI disk mappings on a
+// Hyper-V VM, from host-side slot allocation through guest-side mounting.
+//
+// # Architecture
+//
+// [Manager] is the primary entry point, exposing two methods:
+//
+//   - [Manager.MapToGuest]: allocates a SCSI slot (if needed), attaches the
+//     disk to the VM's SCSI bus, and mounts the specified partition inside the
+//     guest. The caller supplies a stable mappingID that identifies the mapping
+//     across retries.
+//   - [Manager.UnmapFromGuest]: unmounts the partition from the guest, and
+//     when all mappings for an attachment are released, unplugs the SCSI
+//     device and detaches the disk from the VM.
+//
+// All operations are serialized by a single mutex on the [Manager]. Guest
+// paths are always auto-generated; callers cannot supply their own.
+//
+// # Layered State Model
+//
+// The state is tracked at two layers:
+//
+//   - [attachment]: represents a disk on the VM's SCSI bus (one per [VMSlot]).
+//     States: attachPending → attachAttached → attachDetaching → attachUnplugged → attachDetached.
+//   - [mount]: represents a partition mounted inside the guest (keyed by
+//     partition index within an attachment).
+//     States: mountPending → mountMounted → mountUnmounted.
+//
+// A third structure, [mapping], links a caller-supplied mappingID to an
+// [attachment] and partition index. It carries no lifecycle state of its own;
+// the [attachment] and [mount] state machines drive all transitions.
+//
+// # Retry / Idempotency
+//
+// Both [Manager.MapToGuest] and [Manager.UnmapFromGuest] are designed to be
+// retriable. On failure, the [attachment] and [mount] states remain at their
+// pre-operation position (no poisoning). A subsequent call with the same
+// mappingID resumes from where the previous attempt stopped.
+//
+// Calling [Manager.MapToGuest] with the same mappingID after a successful call
+// is a no-op that returns the existing guest path.
+//
+// # Attachment Lifecycle
+//
+//	┌──────────────────┐
+//	│  attachPending   │ ← stays here on attach failure (retriable)
+//	└────────┬─────────┘
+//	         │ disk added to VM SCSI bus
+//	         ▼
+//	┌──────────────────┐
+//	│ attachAttached   │
+//	└────────┬─────────┘
+//	  (mounts driven here)
+//	         │ all partitions released;
+//	         │ detach initiated
+//	         ▼
+//	┌──────────────────┐
+//	│ attachDetaching  │ ← stays here on unplug failure (retriable)
+//	└────────┬─────────┘
+//	         │ SCSI device unplugged from guest
+//	         ▼
+//	┌──────────────────┐
+//	│ attachUnplugged  │
+//	└────────┬─────────┘
+//	         │ disk removed from VM SCSI bus
+//	         ▼
+//	┌──────────────────┐
+//	│ attachDetached   │
+//	└──────────────────┘
+//	  (entry removed from map)
+//
+//	┌──────────────────┐
+//	│ attachReserved   │  ← no transitions; pre-reserved at construction
+//	└──────────────────┘
+//
+// # Mount Lifecycle
+//
+//	┌──────────────────┐
+//	│  mountPending    │ ← stays here on mount failure (retriable)
+//	└────────┬─────────┘
+//	         │ guest mount succeeds
+//	         ▼
+//	┌──────────────────┐
+//	│  mountMounted    │
+//	└────────┬─────────┘
+//	         │ refCount → 0;
+//	         │ guest unmount
+//	         ▼
+//	┌──────────────────┐
+//	│ mountUnmounted   │
+//	└──────────────────┘
+//	  (partition entry removed from attachment)
+//
+// # Reference Counting
+//
+// Multiple mappingIDs may target the same disk and partition. [Manager.MapToGuest]
+// detects duplicates and increments a reference count on the [mount] instead of
+// issuing duplicate guest operations; the guest path is shared.
+//
+// [Manager.UnmapFromGuest] decrements the count and only unmounts when it reaches
+// zero.
+//
+// # Platform Variants
+//
+// Guest-side mount, unmount, and unplug steps differ between LCOW and WCOW
+// guests and are selected via build tags (default for the LCOW shim;
+// "wcow" tag for the WCOW shim):
+//
+//   - LCOW: mounts via AddLCOWMappedVirtualDisk, unmounts via
+//     RemoveLCOWMappedVirtualDisk, and unplugs via RemoveSCSIDevice.
+//   - WCOW: mounts via AddWCOWMappedVirtualDisk (or
+//     AddWCOWMappedVirtualDiskForContainerScratch for scratch disks),
+//     unmounts via RemoveWCOWMappedVirtualDisk; unplug is a no-op because
+//     Windows handles SCSI hot-unplug automatically when the host removes
+//     the disk from the VM.
+//
+// # Usage
+//
+//	mgr := scsi.New(vmID, vmScsi, linuxGuestScsi, windowsGuestScsi, numControllers, reservedSlots)
+//
+//	diskConfig := scsi.DiskConfig{HostPath: "/path/to/disk.vhdx", Type: scsi.DiskTypeVirtualDisk}
+//	mountConfig := scsi.MountConfig{ReadOnly: true}
+//
+//	// Map the disk to the guest (allocate slot + attach + mount):
+//	guestPath, err := mgr.MapToGuest(ctx, "container-abc/layer-0", diskConfig, mountConfig)
+//	if err != nil {
+//	    // Retry with the same mappingID to resume:
+//	    guestPath, err = mgr.MapToGuest(ctx, "container-abc/layer-0", diskConfig, mountConfig)
+//	}
+//
+//	// Unmap (unmount + unplug + detach when last mapping):
+//	if err := mgr.UnmapFromGuest(ctx, "container-abc/layer-0"); err != nil {
+//	    // Retry:
+//	    _ = mgr.UnmapFromGuest(ctx, "container-abc/layer-0")
+//	}
+package scsi

internal/controller/device/scsi/scsi.go

@@ -0,0 +1,71 @@
+//go:build windows
+
+package scsi
+
+import (
+	"sync"
+)
+
+// Manager implements the methods to manage the full SCSI disk lifecycle —
+// slot allocation, VM attach, guest mount, and teardown — across one or more
+// controllers on a Hyper-V VM. All operations are serialized by a single mutex.
+type Manager struct {
+	// mu serializes all public operations on the Manager.
+	mu sync.Mutex
+
+	// vmID identifies the HCS compute system. Immutable after construction.
+	vmID string
+
+	// numControllers is the number of SCSI controllers on the VM. Immutable after construction.
+	numControllers int
+
+	// attachmentMap tracks SCSI slot occupancy keyed by controller and LUN. Guarded by mu.
+	attachmentMap map[VMSlot]*attachment
+
+	// mappingMap indexes active mappings by caller-supplied ID. Guarded by mu.
+	mappingMap map[string]*mapping
+
+	// nextMountIdx is a monotonic counter for generating unique guest mount paths. Guarded by mu.
+	nextMountIdx int
+
+	// vmSCSI is the host-side interface for adding and removing disks from the VM. Immutable after construction.
+	vmSCSI vmSCSI
+
+	// linuxGuestSCSI is the guest-side interface for SCSI operations in LCOW guests. Immutable after construction.
+	linuxGuestSCSI linuxGuestSCSI
+
+	// windowsGuestSCSI is the guest-side interface for SCSI operations in WCOW guests. Immutable after construction.
+	windowsGuestSCSI windowsGuestSCSI
+}
+
+// New creates a new [Manager] for the given VM and controllers.
+func New(
+	vmID string,
+	vmScsi vmSCSI,
+	linuxGuestScsi linuxGuestSCSI,
+	windowsGuestScsi windowsGuestSCSI,
+	numControllers int,
+	reservedSlots []VMSlot,
+) *Manager {
+	m := &Manager{
+		vmID:             vmID,
+		numControllers:   numControllers,
+		attachmentMap:    make(map[VMSlot]*attachment),
+		mappingMap:       make(map[string]*mapping),
+		vmSCSI:           vmScsi,
+		linuxGuestSCSI:   linuxGuestScsi,
+		windowsGuestSCSI: windowsGuestScsi,
+	}
+
+	// Pre-populate attachmentMap with reserved slots so they are never allocated.
+	for _, s := range reservedSlots {
+		m.attachmentMap[s] = &attachment{
+			controller: s.Controller,
+			lun:        s.LUN,
+			state:      attachReserved,
+			partitions: make(map[uint64]*mount),
+		}
+	}
+
+	return m
+}

internal/controller/device/scsi/scsi_lcow.go

@@ -0,0 +1,71 @@
+//go:build windows && !wcow
+
+package scsi
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+)
+
+// mountFmt is the guest path template for SCSI mounts on LCOW.
+const mountFmt = "/run/mounts/scsi/m%d"
+
+// mountInGuest mounts a SCSI disk partition into the Linux guest at the path
+// stored in [mount.guestPath].
+func (m *Manager) mountInGuest(ctx context.Context, controller, lun uint, mnt *mount) error {
+	settings := guestresource.LCOWMappedVirtualDisk{
+		MountPath:        mnt.guestPath,
+		Controller:       uint8(controller),
+		Lun:              uint8(lun),
+		Partition:        mnt.config.Partition,
+		ReadOnly:         mnt.config.ReadOnly,
+		Encrypted:        mnt.config.Encrypted,
+		Options:          mnt.config.Options,
+		EnsureFilesystem: mnt.config.EnsureFilesystem,
+		Filesystem:       mnt.config.Filesystem,
+		BlockDev:         mnt.config.BlockDev,
+	}
+	if err := m.linuxGuestSCSI.AddLCOWMappedVirtualDisk(ctx, settings); err != nil {
+		return fmt.Errorf("add LCOW mapped virtual disk controller=%d lun=%d: %w", controller, lun, err)
+	}
+	return nil
+}
+
+// unmountFromGuest unmounts the SCSI disk partition from the Linux guest.
+func (m *Manager) unmountFromGuest(ctx context.Context, controller, lun uint, mnt *mount) error {
+	settings := guestresource.LCOWMappedVirtualDisk{
+		MountPath:  mnt.guestPath,
+		Controller: uint8(controller),
+		Lun:        uint8(lun),
+		ReadOnly:   mnt.config.ReadOnly,
+		Partition:  mnt.config.Partition,
+		BlockDev:   mnt.config.BlockDev,
+	}
+	if err := m.linuxGuestSCSI.RemoveLCOWMappedVirtualDisk(ctx, settings); err != nil {
+		return fmt.Errorf("remove LCOW mapped virtual disk controller=%d lun=%d path=%q: %w",
+			controller, lun, mnt.guestPath, err)
+	}
+	return nil
+}
+
+// unplugFromGuest ejects a SCSI device from the Linux guest before the host
+// removes it from the VM.
+func (m *Manager) unplugFromGuest(ctx context.Context, controller, lun uint) error {
+	settings := guestresource.SCSIDevice{
+		Controller: uint8(controller),
+		Lun:        uint8(lun),
+	}
+
+	// RemoveSCSIDevice sends a guest modification request that the GCS handles
+	// by first remapping the logical controller number to the actual kernel-visible
+	// controller index (HCS and the Linux kernel assign them independently), then
+	// writing "1" to /sys/bus/scsi/devices/<id>/delete. That sysfs write is a
+	// guest-initiated hot-unplug: the kernel removes the device from its bus and
+	// flushes any in-flight I/O before the host removes the disk from the VM.
+	if err := m.linuxGuestSCSI.RemoveSCSIDevice(ctx, settings); err != nil {
+		return fmt.Errorf("remove scsi device at controller=%d lun=%d from lcow guest: %w", controller, lun, err)
+	}
+	return nil
+}